U.S. DEPARTMENT OF COMMERCE
Office of Inspector General

United States Patent and Trademark Office

Stronger Management Controls Needed for the Patent Application Capture and Review Automated Information System

Final Report No. OSE-14926 / August 2002

PUBLIC RELEASE

Office of Systems Evaluation


UNITED STATES DEPARTMENT OF COMMERCE
The Inspector General
Washington, D.C. 20230

AUG 22 2002

MEMORANDUM FOR:  Nicholas P. Godici
                 Commissioner for Patents
                 United States Patent and Trademark Office

                 Douglas J. Bourgeois
                 Chief Information Officer
                 United States Patent and Trademark Office

FROM:            Johnnie E. F

SUBJECT:         Stronger Management Controls Needed for the Patent Application
                 Capture and Review Automated Information System
                 Final Inspection Report No. OSE-14926

This is the final report on our assessment of information security controls for the United States Patent and Trademark Office's (USPTO's) Patent Application Capture and Review (PACR) Automated Information System. PACR captures, stores, and maintains digital images of U.S. patent applications, and retrieves and prints these documents as needed. USPTO relies on the highly sensitive PACR system for day-to-day operations.

Our evaluation concluded that the physical security measures in place during our assessment generally provide appropriate protection for PACR equipment. We further determined, however, that a risk assessment has not been conducted, the security plan is not approved, security controls have not been tested and reviewed, contingency planning is needed, and specialized security training is needed.

Under the Government Information Security Reform Act, information security is the responsibility of federal agency senior management: the agency head, senior managers, and the chief information officer (CIO). The agency head has overall responsibility for ensuring the security of information and information systems supporting agency operations and assets, and senior officials are responsible for the information security of the systems that support their mission. Thus, the Commissioner for Patents is responsible for PACR information security. The agency CIO is required to administer the information security program agency-wide, including assisting senior agency officials concerning their responsibilities.

In your written response to our draft report, you agreed with all our recommendations and described corrective actions being taken or planned. The complete response is included as an attachment to this report and constitutes the action plan. We appreciate the cooperation and courtesies extended to us by USPTO in conducting our review.

Attachment

cc:  James Rogan, Under Secretary of Commerce for Intellectual Property and Director of the
     United States Patent and Trademark Office


U.S. Department of Commerce                                   Final Inspection Report OSE-14926
Office of Inspector General                                                         August 2002


INTRODUCTION

The Government Information Security Reform Act (GISRA) requires all federal agencies to perform annual reviews of their information security programs and requires the Office of Inspector General (OIG) for each agency to conduct independent evaluations of those programs. As part of our effort to fulfill this requirement, in March 2002 we issued a report, Additional Senior Management Attention Needed To Strengthen USPTO's Information Security Program,[1] which evaluated the United States Patent and Trademark Office's (USPTO's) information security policies and procedures, roles and responsibilities, and adherence to applicable laws, regulations, and guidance.

GISRA also requires each agency's OIG to review security controls for individual systems. To help fulfill this requirement, and as a follow-on to our earlier entitywide review of USPTO, we chose to evaluate security controls for USPTO's Patent Application Capture and Review (PACR) system, because PACR is a highly sensitive system necessary to USPTO's daily operations.


BACKGROUND

PACR provides the capture, storage, maintenance, retrieval, and printing of digital images of U.S. patent applications. PACR relies on USPTO's local area network (LAN), PTONet, to support data processing associated with patent applications. At the time we selected PACR for review, version 3.0 was the operational system. At our entrance conference with USPTO on January 29, 2002, USPTO informed us that the Cylink Secure Domain Units used to encrypt patent application data transmitted on PTONet had been replaced by Redbrook Ravlin encryption devices. The transition from the Cylink to the Ravlin devices had been planned as part of the upgrade to PACR version 3.5, scheduled for deployment in March 2002. The deployment occurred in March as anticipated, and PACR version 3.5 included the transition to the Ravlin devices as well as additional enhancements. In May 2002, USPTO began transitioning PACR from PTONet to PTONet II, the upgraded USPTO-wide LAN.

In response to our earlier report, USPTO initiated a contractor-supported certification and accreditation[2] (C&A) pilot project for five of its critical systems. USPTO identified PACR as one of those systems after we began our evaluation. For each of the systems, the C&A pilot project will provide the following:

    •   risk assessment,
    •   updated security plan,
    •   vulnerability assessment,
    •   business continuity plan,
    •   security test and evaluation (ST&E) plan, and
    •   certification and accreditation package.

[1] Office of Inspector General. 2002. Additional Senior Management Attention Needed To Strengthen USPTO's Information Security Program, Final Inspection Report No. OSE-14816/March 2002. Washington, DC: Office of Inspector General, U.S. Department of Commerce.
[2] Certification is the formal testing of the security safeguards implemented in a computer system to determine whether they meet applicable requirements and specifications. Accreditation is the formal authorization by management for system operation, including an explicit acceptance of risk.


OBJECTIVE, SCOPE, AND METHODOLOGY

The objective of our evaluation was to conduct an independent assessment of the implementation of information security controls for PACR. We used NIST's Security Self-Assessment Guide for Information Technology Systems[3] as the basis for evaluating controls in three categories: management, operational, and technical. Because of resource and time constraints, we selected a subset of these controls for evaluation. Table 1 identifies the controls we chose to assess. We further reduced that set by eliminating the technical controls, both because USPTO was unable to provide accurate, consistent information about the system and to avoid duplicating the pilot project, which will evaluate PACR's technical controls.

Table 1          Security Controls Selected for Assessing PACR

Control Category   Control                                          Selected
Management         Risk Management                                     X
                   Review of Security Controls                         X
                   Life Cycle                                          X
                   Authorize Processing                                X
                   System Security Plan                                X
Operational        Personnel Security
                   Physical Security                                   X
                   Production, Input/Output Controls
                   Contingency Planning                                X
                   Hardware and Systems Software Maintenance
                   Data Integrity
                   Documentation
                   Security Awareness, Training, and Education         X
                   Incident Response Capability
Technical          Identification and Authentication                   X
                   Logical Access Controls                             X
                   Audit Trails                                        X

During our evaluation, we reviewed PACR system documentation, conducted interviews with USPTO personnel and managers involved in PACR development and information security, and visited USPTO facilities where equipment supporting PACR operations is located.

USPTO is already implementing the recommendations from our March 2002 review, which should address many of the problems found in this current review. For those concerns currently being addressed, we make no new recommendations.

Our evaluation was conducted in accordance with the Quality Standards for Inspections issued by the President's Council on Integrity and Efficiency and was performed under the authority of the Inspector General Act of 1978, as amended, and Department Organization Order 10-13, dated May 22, 1980, as amended. Our fieldwork was conducted from January through May 2002.

[3] National Institute of Standards and Technology. 2001. Security Self-Assessment Guide for Information Technology Systems, NIST Special Publication 800-26. Gaithersburg, MD: National Institute of Standards and Technology.


FINDINGS AND RECOMMENDATIONS

We found that the physical security measures in place during our evaluation provide appropriate protection for the equipment that PACR relies on to support USPTO operations. Our review further determined, however, that (1) management controls are not implemented and that both (2) contingency planning and (3) specialized security training are needed.

I.     Physical Security Measures Are Generally Appropriate

The PACR servers that store images of patent applications, as well as the firewall that protects the servers from unauthorized access, are located in a secure data center. Access to the data center is controlled by a personnel badge reader and an electronic key card reader. USPTO's Office of Information System Security effectively controls activation and deactivation of the badges and key cards. In addition, security personnel are on duty inside the data center 24 hours per day, 7 days per week. Visitors must be authorized for access and must display proper identification while in the center, where they are escorted at all times. As an added control, surveillance cameras continuously monitor the database server and surrounding areas.

The scanning servers that create the patent application images are located in a building separate from the one that houses the secure data center. These servers are located in a secure room whose access is controlled by a cipher lock. Visitor access is controlled by a system administrator, who also monitors the operational status of the servers.

We noted during our evaluation that the cipher combination to the room is not changed after employees and contractors who have been given the combination terminate their employment or contractual obligations with USPTO. Until the combination is changed, anyone who has left still holds working credentials to the room. In response to our concern, USPTO is developing an agency-wide policy for changing cipher combinations.

Further, USPTO plans to move the scanning servers from the secure room to the secure data center, where the remaining servers and the firewall are housed.

Recommendation

We recommend that the Commissioner for Patents and the USPTO Chief Information Officer ensure that the agency establishes and implements a policy requiring that cipher combinations be changed (1) when employees and contractors who have the combinations depart USPTO service or no longer require access and (2) on a periodic basis.

II.     Management Controls Are Not Implemented

Management controls focus on the management of the information technology security aspects of a system and the management of risk. For PACR, we found that management controls are not fully implemented, for the following reasons:

•     a risk assessment has not been conducted,
•     the security plan is not approved,
•     the operational system has not been accredited,
•     security controls have not been tested and reviewed periodically, and
•     life cycle management deficiencies exist.

A.     Risk Assessment of PACR Has Not Been Conducted

A current risk assessment for a system is the foundation of a risk-based approach to information security because it is designed to identify threats and vulnerabilities so that appropriate security measures can be implemented. GISRA requires program officials to determine and assess risks to the operations and assets they control, and OMB Circular A-130, Management of Federal Information Resources, requires agencies to use a risk-based approach to determine adequate security measures.

No risk assessment has been performed for any version of PACR; therefore, it is not possible to determine whether security measures are adequate to deal with existing threats and vulnerabilities. USPTO recognized this deficiency and tasked a contractor to conduct a risk assessment for the operational PACR system as part of the ongoing C&A pilot project.

B.     Security Plan Is Not Approved

The Computer Security Act of 1987 requires that security plans be developed for all federal computer systems that contain sensitive information. A system security plan provides an overview of system security requirements and describes the controls in place or planned for meeting those requirements. It also delineates the responsibilities and expected behavior of all individuals who access the system. Since the plan establishes the security controls, it should logically form the basis for accreditation of the system. The security plan should be reviewed annually and revised as needed to ensure that security controls can handle significant changes to the system and address rapidly changing threats.

At USPTO, the project manager is responsible for preparing and maintaining the information system security plan throughout the system's life cycle, with assistance from the information system security officer (ISSO).

Although security plans have been developed for PACR, USPTO was unable to provide official sign-off or approval pages, or documented Technical Review Board[4] action, to indicate that any of these plans has been officially approved. Hence, PACR lacks a critical component needed for accreditation: an approved security plan. The most recent PACR security plan will be updated during the ongoing pilot project.

C.     Security Controls Have Not Been Periodically Tested and Reviewed

OMB Circular A-130 requires that agencies perform a formal management review of security controls at least every 3 years. Such reviews should also be conducted when significant changes are made to a system. Reviews should include an independent assessment of security controls and can include network scans, analysis of network device settings, and penetration testing. Testing and reviewing security controls are critical factors for system accreditation.

Testing of security controls for PACR has not been performed. USPTO has tasked a contractor to conduct a vulnerability assessment for the operational PACR system as part of the pilot project. As part of the vulnerability assessment, the contractor will use a detailed questionnaire to assess the effectiveness of management, operational, and technical controls and will use a network scanner (CyberCop) provided by USPTO to determine the effectiveness of controls against known vulnerabilities. If this assessment is comprehensive and thorough, it should adequately test PACR security controls.

In response to our previous evaluation, USPTO is putting a process in place to periodically test and review the security controls related to each system.

D.     System Has Not Been Accredited

OMB Circular A-130 requires management officials to formally authorize the use of a system before it becomes operational and to re-accredit the system whenever a significant change is made or at least every 3 years. By authorizing processing, a management official acknowledges an understanding and acceptance of the risks associated with putting the system into operation.

No version of PACR has been accredited as yet; however, USPTO and contractor personnel are preparing certification and accreditation materials, which will lead to accreditation of PACR, as part of the C&A pilot project.

[4] The Technical Review Board conducts reviews of work products and plans during the life cycle of an automated information system.

E.     Life Cycle Management Deficiencies Found

Security Considerations of System Design Changes Are Not Well Planned

USPTO is currently making the transition from its local area network (LAN), PTONet, to PTONet II, a more capable LAN based on current network technology. The LAN allows USPTO users to communicate with servers, send and receive e-mail, execute applications, search for information, and support business processes. Because USPTO's LAN supports processing associated with patent applications, the transition requires changes to PACR network components and related software.

USPTO's PTONet II Production Installation Plan states that the transition for systems such as PACR would be planned well in advance, and that meetings would be conducted with system development managers, other USPTO officials, and the contractor managers responsible for PTONet II installation. These meetings were to address such issues as changing the internet protocol addresses[5] of PACR network components to accommodate PTONet II. However, the PACR system design changes made to accommodate PTONet II do not appear to have been well planned, nor did they adequately consider network security implications. We reached these conclusions because, just prior to the initial transition step for PACR, USPTO was unable to identify the required software changes and the necessary modifications and additions to firewall rules. Furthermore, the ISSO was unaware that these changes were about to be made, even though the Office of Information System Security, which is under the direction of the ISSO, is responsible for reviewing and authorizing proposed firewall changes.

Draft procedures for implementing PACR network and firewall changes were issued only after the initial transition attempts failed. Since the completion of our fieldwork, the transition of PACR to PTONet II has been successfully completed.

USPTO needs to better plan and coordinate information technology changes that affect the security of interconnected systems.

Documentation Does Not Reflect Current System

System documentation should be current and accurate to support testing, training, modification, and maintenance activities. The quality and utility of supporting documentation can be considered a primary measure of the health and well-being of a software project.[6]

To understand the network and security architecture of PACR, we reviewed the available system documentation and attended briefings provided by USPTO. (As noted previously, USPTO had no record of an approved information security plan for PACR.) We found that:

•     available documentation does not reflect the current system;
•     the network topology diagrams, four in all, have the same issuing date, but each differs from the others and none accurately describes the then-current or planned topology; and
•     for the High-level Architecture document and the Operational Support Plan, discrepancies exist between their network topology diagrams, equipment lists, and points of contact.

USPTO needs to improve its process for keeping documentation current and tracking its status.

[5] An internet protocol (IP) address identifies a specific computer or device on a network.
[6] Fairley, R. 1985. Software Engineering Concepts. New York: McGraw-Hill, p. 220.

Recommendations

We recommend that the Commissioner for Patents and the USPTO Chief Information Officer make certain that agency managers ensure that:

1.     PACR system documentation is updated to reflect the current operational system, and

2.     a process to track document approval is established and enforced.

III.     Contingency Planning Is Needed

OMB Circular A-130 states that managers should develop plans for how they will perform their mission and recover from the loss of system support. The circular also notes that testing a contingency plan significantly improves its viability, and that plans that have not been tested, or have not been tested recently, may mask an agency's inability to recover in a timely manner.

PACR has no contingency plan, but USPTO is developing a Business Continuity Plan as part of the ongoing C&A pilot project.

IV.     Specialized Security Training Is Needed

GISRA requires chief information officers to ensure the training of personnel who have significant responsibilities for information security. However, PACR system administrators have not received specialized security training. USPTO has agreed with our earlier recommendation to develop a comprehensive information security training and education program based on job functions, roles, and responsibilities, using NIST Special Publication 800-16.[7] Thus, PACR system administrators should receive specialized training as this program is implemented.

[7] Information Technology Laboratory. 1998. Information Technology Security Training Requirements: A Role- and Performance-Based Model. Gaithersburg, MD: U.S. Department of Commerce, National Institute of Standards and Technology.